
I've installed a signed SSL certificate and can log in over HTTPS without any problems. Now I'm trying to disable access via HTTP. One idea is to just remove the port 80 connector from the server.xml file, but some users don't log in for months at a time, so I'd prefer something a bit more user friendly. Following advice found on the web, I've tried changing the connector in the server.xml file to this:

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           compression="2048" compressableMimeType="text/"
           redirectPort="443" URIEncoding="UTF-8"/>

and adding this to the web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

When I try to access any of the web pages via HTTP, I get a "You don't belong here" message from the application over HTTP, not the web page I'm trying to access and not over HTTPS. Any ideas what I'm doing wrong? Thanks!

samwyse
  • See: https://stackoverflow.com/questions/33208796/redirect-http-to-httpsport-in-tomcat. You need to use a redirection filter; Connector is not a redirector. – AlexC Apr 13 '17 at 12:59
  • The in my web.xml file is a type of redirection filter. – samwyse Apr 13 '17 at 15:19
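
An offline consistency check for the two files discussed in the question, as an added example that is not part of the original post: it confirms that each plain-HTTP connector's redirectPort names a TLS connector port and that a CONFIDENTIAL constraint covers /* for every HTTP method. The sample files and function names are constructed for illustration, and the check assumes TLS is terminated in Tomcat itself (SSLEnabled="true").

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the page): plain connector on 80, TLS on 8443.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

def descendants(elem, name):
    """Elements under elem with this local name, ignoring any xmlns prefix."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def confidential_patterns(web_xml):
    """url-patterns that a CONFIDENTIAL constraint covers for every HTTP method."""
    patterns = []
    for sc in descendants(ET.fromstring(web_xml), "security-constraint"):
        guarantees = [(g.text or "").strip() for g in descendants(sc, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in descendants(sc, "web-resource-collection"):
            if descendants(wrc, "http-method"):
                continue  # constraint applies only to the listed methods
            patterns += [(p.text or "").strip() for p in descendants(wrc, "url-pattern")]
    return patterns

def is_tls(conn):
    """Assumption of this example: a TLS connector is one with SSLEnabled="true"."""
    return conn.get("SSLEnabled", "").lower() == "true"

def check(server_xml, web_xml):
    """Return findings as strings; an empty list means the two files agree."""
    conns = descendants(ET.fromstring(server_xml), "Connector")
    tls_ports = {c.get("port") for c in conns if is_tls(c)}
    findings = []
    for c in conns:
        if is_tls(c) or "ajp" in c.get("protocol", "").lower():
            continue  # only plain-HTTP connectors need a redirect target
        target = c.get("redirectPort")
        if target not in tls_ports:
            findings.append(f"connector {c.get('port')}: redirectPort {target} is not a TLS connector port")
    if "/*" not in confidential_patterns(web_xml):
        findings.append("web.xml: no CONFIDENTIAL constraint covers /* for all methods")
    return findings

if __name__ == "__main__":
    print(check(SERVER_XML, WEB_XML) or "consistent")
```

Run it against the web.xml of the application that actually serves the request; a constraint placed in a different context's web.xml does not apply to it.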

0 Answers